Page MenuHomePhabricator
Create Task
Maniphest T337640

Add mw-parser-output to edit notices
Open, Needs TriagePublicFeature
Actions

Description

Since T201613: Unify 'edit notices' technology stack was done, I thought this can be considered: the edit notices should output mw-parser-output class by default so they can be styled by TemplateStyles. While they aren’t ‘article content’ per se, TemplateStyles extension requires it for its CSS to work, which makes template editors (like us in ruWP!) resort to hacks like the one in https://ru.wikipedia.org/wiki/Шаблон:Editnotice (wrapping content into <div class="mw-parser-output">) if we want to style editnotices using TemplateStyles.

I think a better solution would be to just add the class to all editnotices by default, since they can be expected to contain trustworthy HTML code that should be able to be targeted by TemplateStyles if needed, even while they are not article content. This will make those hacks obsolete and, for example, allow administrators across wikis to make more responsive interface messages/templates more easily.

Related Objects

Event Timeline

stjn renamed this task from Add mw-parser-output to editnotices to Add mw-parser-output to edit notices.May 28 2023, 2:45 AM
stjn created this task.
Izno added a subscriber: Izno.May 28 2023, 3:32 AM
matmarex added a subscriber: matmarex.May 29 2023, 5:35 PM

I like this idea. It also reminds me of T188443: Wrap indicators in mw-parser-output class, which was fixed about a year ago.

I think we need to carefully decide which messages should get the wrapper. You wrote "edit notices", but it's an ambiguous term, people have used it to refer to either all of the edit intro messages shown above the edit form (including e.g. the message about editing while logged out), or just the "real" edit notices (those generated from MediaWiki:Editnotice-… messages).

I suggest adding it to the following to start with:

  • The edit notices
  • The "talkpagetext" message
  • The "editintro" message (from &editintro= parameter)

I don't want to add it to all edit intro messages because of the potential for abuse from untrusted users. I don't think this would be a very severe problem, because no one reads these messages anyway, but still. One potential attack I can think of is using <templatestyles> in the page passed in the &editintro= parameter to hide the big red warning about the risks of user JS when editing Special:MyPage/common.js.

For reference, all possible edit intro messages can be found in this code: https://gerrit.wikimedia.org/g/mediawiki/core/+/1eb12c447019025b8cd7b6e1af06db256ec5cac8/includes/editpage/IntroMessageBuilder.php#140
and (mostly) all existing uses of <div class="mw-parser-output"> etc here: https://global-search.toolforge.org/?q=%5B%5E.%5Dmw-parser-output&regex=1&namespaces=8%2C10&title=%5B%5E.%5D%2B

Tgr added a subscriber: Tgr.May 29 2023, 10:34 PM
In T337640#8887076, @matmarex wrote:

One potential attack I can think of is using <templatestyles> in the page passed in the &editintro= parameter to hide the big red warning about the risks of user JS when editing Special:MyPage/common.js.

Note that as long as the editintro is styleable, the attacker can just position it on top of the JS warning. On modern browsers this can be prevented with contain: paint (caniuse), not sure if that's considered good enough.

stjn added a comment.May 30 2023, 5:23 AM

I think just adding it to edit notices without touching upon edit intros could be good enough. The only problem is that there might be an expectation for them to work the same in all cases, and that would obviously not be the case. TemplateStyles does have a mechanism of containing the styles using wrapper parameter (see docs), but it is probably impossible to require its use in certain cases like this.

Pcoombe added a project: MediaWiki-Editnotice.Jul 3 2023, 9:21 PM
Content licensed under Creative Commons Attribution-ShareAlike 4.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL